Magento 1.9.2 File Inclusion

🗓️ 14 Sep 2015 00:00:00Reported by EgiXType

packetstorm🔗 packetstormsecurity.com👁 103 Views

Magento 1.9.2 File Inclusion Vulnerability in SOAP AP

Reporter	Title	Published	Views	Family All 12
0day.today	Magento 1.9.2 File Inclusion Vulnerability	16 Sep 201500:00	–	zdt
Tenable Nessus	Magento Community Edition < 1.9.2.1 Multiple Vulnerabilities	14 Oct 201600:00	–	nessus
CVE	CVE-2015-6497	15 Jan 202016:49	–	cve
Cvelist	CVE-2015-6497	15 Jan 202016:49	–	cvelist
EUVD	EUVD-2022-4273	3 Oct 202520:07	–	euvd
Github Security Blog	Magento arbitrary PHP code execution via the productData parameter	24 May 202217:06	–	github
NVD	CVE-2015-6497	15 Jan 202017:15	–	nvd
OSV	GHSA-J4FQ-3FM7-WH5V Magento arbitrary PHP code execution via the productData parameter	24 May 202217:06	–	osv
Prion	Code injection	15 Jan 202017:15	–	prion
securityvulns	[KIS-2015-04] Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability	26 Oct 201500:00	–	securityvulns

`-------------------------------------------------------------------------------  
Magento <= 1.9.2 (catalogProductCreate) Autoloaded File Inclusion Vulnerability  
-------------------------------------------------------------------------------  
  
  
[-] Software Link:  
  
http://magento.com/  
  
  
[-] Affected Versions:  
  
Version 1.9.2 and prior versions.  
  
  
[-] Vulnerability Description:  
  
The vulnerability is caused by the "catalogProductCreate" SOAP API implementation,  
which is defined into the /app/code/core/Mage/Catalog/Model/Product/Api/V2.php script:  
  
109. public function create($type, $set, $sku, $productData, $store = null)  
110. {  
111. if (!$type || !$set || !$sku) {  
112. $this->_fault('data_invalid');  
113. }  
114.   
115. $this->_checkProductTypeExists($type);  
116. $this->_checkProductAttributeSet($set);  
117.   
118. /** @var $product Mage_Catalog_Model_Product */  
119. $product = Mage::getModel('catalog/product');  
120. $product->setStoreId($this->_getStoreId($store))  
121. ->setAttributeSetId($set)  
122. ->setTypeId($type)  
123. ->setSku($sku);  
124.   
125. if (!property_exists($productData, 'stock_data')) {  
126. //Set default stock_data if not exist in product data  
127. $_stockData = array('use_config_manage_stock' => 0);  
128. $product->setStockData($_stockData);  
129. }  
  
User input passed through the "productData" SOAP parameter is not properly validated before being  
used in a call to the "property_exists()" function at line 125. This can be exploited by attackers  
with valid API credentials to include and execute arbitrary PHP code (both from local or remote  
resources) leveraging the Varien_Autoload::autoload() autoloading function. Successful exploitation  
of this vulnerability requires the application running on PHP before version 5.4.24 or 5.5.8.  
  
  
[-] Solution:  
  
Update to version 1.9.2.1 or apply the SUPEE-6482 patch bundle.  
  
  
[-] Disclosure Timeline:  
  
[27/02/2015] - Vendor notified  
[25/06/2015] - Vendor acknowledgement stating the issue will be fixed in the next release  
[04/08/2015] - Version 1.9.2.1 released along with the patch for this vulnerability  
[13/08/2015] - CVE number requested  
[17/08/2015] - CVE number assigned  
[11/09/2015] - Public disclosure  
  
  
[-] CVE Reference:  
  
The Common Vulnerabilities and Exposures project (cve.mitre.org)  
has assigned the name CVE-2015-6497 to this vulnerability.  
  
  
[-] Credits:  
  
Vulnerability discovered by Egidio Romano of Minded Security.  
  
  
[-] Original Advisory:  
  
http://karmainsecurity.com/KIS-2015-04  
  
  
[-] Other References:  
  
http://blog.mindedsecurity.com/2015/09/autoloaded-file-inclusion-in-magento.html  
`

14 Sep 2015 00:00Current

8.8High risk

Vulners AI Score8.8

EPSS0.02665